Due to increasing reliance on network-accessible computers, network security has become a major issue for organizations and individuals. To help ensure the security of their computers, organizations and individuals frequently install security devices between their private networks and public networks. A goal of such security devices is to prevent unwanted or malicious information from the public network from affecting devices in the private network. The security device may also provide "network address translation" functionality, which enables the private network to utilize a single public internet protocol (IP) address when communicating with the public network. Network address translation (NAT) may provide further security from the public network by obscuring the internal structure of the private network from the public network, as well as reduce the costs associated with maintaining a public IP address for each device located within the private network.
One example of a commonly deployed security device is a firewall. A firewall may perform NAT by rewriting the source and/or destination IP addresses included within packets that flow through the firewall. Upon receiving a packet from one of these private devices destined for the public network, the firewall, for example, replaces the private source IP address assigned to the private device with the single public IP address. Upon receiving a return packet in response to the device's packet, the firewall rewrites the destination address of the return packet with the appropriate private IP address. In this manner, the firewall obscures the internal structure of the private network by making it appear that only one device, e.g., the firewall, sends and receives data via the single public IP address.
While a firewall that performs NAT may obscure the structure of the private network and thereby provide added security, the firewall may also prevent the private devices from participating in certain network protocols. For example, a private device behind a NAT firewall may not act as a transmission control protocol (TCP) server. That is, the private device cannot directly receive and accept a TCP session request from a client on the public side of the NAT firewall because the IP address of the private device itself is not known to devices on the public side of the firewall. The public device only knows the single public IP address used by the firewall. Because TCP requires a public device to know the IP address of the particular device with which the TCP session is to be established, the public device cannot directly establish a TCP session with the private device behind the NAT firewall. Moreover, many of the secure protocols that operate over a TCP session may not be utilized, as these secure protocols depend on the TCP session.
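The following is an added illustration, not part of the original text, of the two behaviours described above: the firewall rewriting a private host's outbound source address to the shared public IP (using a per-session port mapping so several private hosts can share it), rewriting the return packet back, and then having no mapping for an unsolicited TCP session request from a public client, which is why the private host cannot act as a TCP server. All IP addresses, ports and the class and function names are constructed for this example.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # the firewall's single public address (constructed)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False        # True for a TCP session request (SYN)

class NatFirewall:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}    # (private ip, private port) -> public port
        self.in_map = {}     # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source with the shared public IP and a mapped port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt: Packet):
        """Rewrite a return packet's destination back to the private host.
        A packet with no mapping (e.g. an unsolicited SYN from a public client)
        is dropped: the firewall has no private host to forward it to."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.in_map:
            return None
        priv_ip, priv_port = self.in_map[pkt.dst_port]
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

def demo():
    fw = NatFirewall()
    # Private host 10.0.0.5 opens a TCP session to a public HTTPS server.
    out = fw.outbound(Packet("10.0.0.5", 51234, "198.51.100.7", 443, syn=True))
    # The server's reply is addressed only to the public IP and mapped port.
    back = fw.inbound(Packet("198.51.100.7", 443, out.src_ip, out.src_port))
    # A public client trying to open a session to the private host has no mapping.
    unsolicited = fw.inbound(Packet("198.51.100.9", 60000, PUBLIC_IP, 22, syn=True))
    return out, back, unsolicited
```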